From 0b762a19a765d1a7e7f8e0e7caac1706f7ca02d1 Mon Sep 17 00:00:00 2001 From: Michal Ruprich Date: Fri, 13 Oct 2023 09:11:25 +0200 Subject: [PATCH] Resolves: RHEL-3541 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router --- 0014-CVE-2023-38802.patch | 129 ++++++++++++++++++++++++++++++++++++++ frr.spec | 6 +- 2 files changed, 134 insertions(+), 1 deletion(-) create mode 100644 0014-CVE-2023-38802.patch diff --git a/0014-CVE-2023-38802.patch b/0014-CVE-2023-38802.patch new file mode 100644 index 0000000..728db32 --- /dev/null +++ b/0014-CVE-2023-38802.patch @@ -0,0 +1,129 @@ +From 46817adab03802355c3cce7b753c7a735bdcc5ae Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Thu, 13 Jul 2023 22:32:03 +0300 +Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation + attribute + +Before this path we used session reset method, which is discouraged by rfc7606. + +Handle this as rfc requires. + +Signed-off-by: Donatas Abraitis +(cherry picked from commit bcb6b58d9530173df41d3a3cbc4c600ee0b4b186) +--- + bgpd/bgp_attr.c | 61 ++++++++++++++++++++----------------------------- + 1 file changed, 25 insertions(+), 36 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 058fae23cbd..1c0803cfd8e 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, + case BGP_ATTR_LARGE_COMMUNITIES: + case BGP_ATTR_ORIGINATOR_ID: + case BGP_ATTR_CLUSTER_LIST: ++ case BGP_ATTR_ENCAP: + return BGP_ATTR_PARSE_WITHDRAW; + case BGP_ATTR_MP_REACH_NLRI: + case BGP_ATTR_MP_UNREACH_NLRI: +@@ -2434,26 +2435,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args) + } + + /* Parse Tunnel Encap attribute in an UPDATE */ +-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ +- bgp_size_t length, /* IN: attr's length field */ +- struct attr *attr, /* IN: caller already allocated */ +- uint8_t flag, /* IN: attr's flags field */ +- uint8_t *startp) ++static int bgp_attr_encap(struct bgp_attr_parser_args *args) + { +- bgp_size_t total; + uint16_t tunneltype = 0; +- +- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3); ++ struct peer *const peer = args->peer; ++ struct attr *const attr = args->attr; ++ bgp_size_t length = args->length; ++ uint8_t type = args->type; ++ uint8_t flag = args->flags; + + if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS) + || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) { +- zlog_info( +- "Tunnel Encap attribute flag isn't optional and transitive %d", +- flag); +- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR, +- startp, total); +- return -1; ++ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d", ++ flag); ++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + + if (BGP_ATTR_ENCAP == type) { +@@ -2461,12 +2457,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ + uint16_t tlv_length; + + if (length < 4) { +- zlog_info( ++ zlog_err( + "Tunnel Encap attribute not long enough to contain outer T,L"); +- bgp_notify_send_with_data( +- peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); +- return -1; ++ return bgp_attr_malformed(args, ++ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + tunneltype = stream_getw(BGP_INPUT(peer)); + tlv_length = stream_getw(BGP_INPUT(peer)); +@@ -2496,13 +2491,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ + } + + if (sublength > length) { +- zlog_info( +- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", +- sublength, length); +- bgp_notify_send_with_data( +- peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); +- return -1; ++ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", ++ sublength, length); ++ return bgp_attr_malformed(args, ++ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + + /* alloc and copy sub-tlv */ +@@ -2550,13 +2543,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ + + if (length) { + /* spurious leftover data */ +- zlog_info( +- "Tunnel Encap attribute length is bad: %d leftover octets", +- length); +- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, +- startp, total); +- return -1; ++ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets", ++ length); ++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + + return 0; +@@ -3396,8 +3386,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, + case BGP_ATTR_VNC: + #endif + case BGP_ATTR_ENCAP: +- ret = bgp_attr_encap(type, peer, length, attr, flag, +- startp); ++ ret = bgp_attr_encap(&attr_args); + break; + case BGP_ATTR_PREFIX_SID: + ret = bgp_attr_prefix_sid(&attr_args); diff --git a/frr.spec b/frr.spec index 7caecdc..ebf8b58 100644 --- a/frr.spec +++ b/frr.spec @@ -7,7 +7,7 @@ Name: frr Version: 8.3.1 -Release: 11%{?checkout}%{?dist} +Release: 12%{?checkout}%{?dist} Summary: Routing daemon License: GPLv2+ URL: http://www.frrouting.org @@ -76,6 +76,7 @@ Patch0010: 0010-CVE-2022-43681.patch Patch0011: 0011-CVE-2022-40318.patch Patch0012: 0012-bfd-not-working-in-vrf.patch Patch0013: 0013-bgpd-maxttl-ebgp-multihop.patch +Patch0014: 0014-CVE-2023-38802.patch %description FRRouting is free software that manages TCP/IP based routing protocols. It takes @@ -281,6 +282,9 @@ make check PYTHON=%{__python3} %endif %changelog +* Fri Oct 13 2023 Michal Ruprich - 8.3.1-12 +- Resolves: RHEL-3541 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router + * Thu Sep 21 2023 Carlos Goncalves - 8.3.1-11 - Resolves: RHEL-2263 - bgpd: Do not explicitly print MAXTTL value for ebgp-multihop vty output